The Best OT Protection Does So from Within the Endpoints

Private sector owners of critical infrastructure need to slash their OT attack surface exposure.

FBI Director Wray said,

"When one victim company set up a honeypot—essentially, a trap designed to look like a legitimate part of a computer network with decoy documents—it took the hackers all of 15 minutes to steal data related to the control and monitoring systems, while ignoring financial and business-related information, which suggests their goals were even more sinister than stealing a leg up economically."

Some water, electricity, gas, and other orgs have built a fortress around their OT infrastructure. However, the moat does little good if the drawbridge is frequently down. Cyber defenders must expect intrusions from entry vectors known or unknown.

Mitigating those risks means reducing attack surface WITHIN the endpoints behind the moat. AV, EDR, XDR, and even MFA are not enough. Session hijacking means that any remote laptop the MFA-guarded drawbridge admits can potentially bring adversaries in with it.

Detection defenses succeed only if a familiar pattern is recognized. Frankly, such detections rely heavily on the people using your detection defenses. What percentage of detection alerts don't get investigated, and how long do the investigated ones take? Investigating them all would need many more personnel, and that's not likely to happen. You need to reduce the attack surface WITHIN your endpoints, inside and outside of the moat. That means another layer of protection is needed, and it's a layer most orgs don't have at all, or have one that doesn't suffice.

The added layer is controls-based protection, which stops attacks that AV and EDR/XDR miss entirely or detect too late. It defeats cyber attacks by not allowing the adversary to successfully perform malicious activities WITHIN your endpoints. Some examples include: launching or loading an executable, script file, or DLL; instructing an OS utility to perform harmful actions; hijacking a legitimate unpatched application; injecting malicious code into the memory of a legitimate application; stealing credentials; altering select parts of the host; etc. In this SHORT list, application control ONLY handles the first item directly; application containment (i.e., peri-execution) can handle the others. Without this protection layer, the chances of successfully repelling a sophisticated attack by the threat actors Director Wray is talking about are very low.
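To make that distinction concrete, here is a toy policy engine written for this post (it is not AppGuard's implementation, and the paths, application names and event chain are all constructed): launch control judges only what may start or be loaded, while containment lets a high-risk application keep running but refuses harmful actions by it and by anything it spawns.

```python
import os
from collections import namedtuple
# Constructed policy data: where untrusted users can write vs. what the host protects.
USER_WRITABLE = ("/tmp/", "/home/")
PROTECTED = ("/etc/", "/usr/bin/")
HIGH_RISK_APPS = {"browser", "mailclient"}  # assumed: apps that handle untrusted content

# kind: launch | load_dll | write | inject | read_creds; target: path, or process name for inject
Event = namedtuple("Event", "kind actor target")
def launch_control(ev):
    """Application control: judges only whether code may start or be loaded."""
    if ev.kind in ("launch", "load_dll") and ev.target.startswith(USER_WRITABLE):
        return "BLOCK(launch)"
    return None

def containment(ev, contained):
    """Containment: a contained process keeps running, but harmful actions are
    refused and any process it launches inherits the same restrictions."""
    if ev.actor not in contained:
        return None
    if ev.kind == "launch":
        contained.add(os.path.basename(ev.target))  # e.g. bash spawned by the browser
        return None
    if ev.kind == "write" and ev.target.startswith(PROTECTED):
        return "BLOCK(containment:write)"
    if ev.kind in ("inject", "read_creds"):
        return f"BLOCK(containment:{ev.kind})"
    return None

def evaluate(events, layers=("launch", "containment")):
    """Run each event through the enabled layers; the first block wins."""
    contained = set(HIGH_RISK_APPS)
    verdicts = []
    for ev in events:
        verdict = launch_control(ev) if "launch" in layers else None
        if verdict is None and "containment" in layers:
            verdict = containment(ev, contained)
        verdicts.append(verdict or "ALLOW")
    return verdicts

# Constructed chain: a legitimate but unpatched browser is hijacked by the attacker.
SAMPLE = [
    Event("write", "browser", "/tmp/dropper.bin"),           # stage payload in user space
    Event("launch", "browser", "/tmp/dropper.bin"),          # launch control catches this
    Event("launch", "browser", "/usr/bin/bash"),             # OS utility, legitimately launchable
    Event("write", "bash", "/etc/crontab"),                  # contained child alters the host
    Event("inject", "browser", "reporting_app"),             # injection into another application
    Event("read_creds", "browser", "/home/op/.ssh/id_rsa"),  # credential theft
]
```

Compare `evaluate(SAMPLE, layers=("launch",))` with `evaluate(SAMPLE)`: application control alone stops only the second event, while adding containment also blocks the host alteration, the injection and the credential theft.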

Unfortunately, defenders had better shop carefully and test thoroughly. Here's a pro tip: most such tools either don't do enough or are too onerous to fully utilize. A practical implementation doesn't just include vendor-provided policy rules. It's more important that the tool itself is based on technology employing simplifying abstractions that enable the controls to auto-adapt to changes, variations, and unanticipated dynamics. Data sheets and presentations tend to accentuate the hypothetical. When evaluating candidate tools, find out which features are routinely enabled and which are on by default. The answers to those questions tell you whether the tool and its features are practical enough to use.

AppGuard is a controls-based tool built on three fundamental controls: launch, containment, and isolation. The combination of these defeats sophisticated attacks. The patented technology makes it practical; it automatically adapts to endpoint changes and unanticipated activities. Ultimately, it's the best solution for keeping the water flowing, the electricity on, and other vital infrastructure running when the intrusions FBI Director Wray warns of turn into devastating denial-of-service attacks.

Read Why AppGuard.
